
B-Sides SF: Researchers estimate three 'major' data breaches each month


Verizon Risk researchers Kevin Thompson and Suzanne Widup have been crunching the numbers on data breaches, and they reckon that the figure may be higher than you think.


Addressing hackers and InfoSec experts in their “Ripped from the headlines, what the news tells us about information security incidents” speech at B-Sides San Francisco, Widup and Thompson revealed how they have been investigating the data breach numbers since May of last year.

Since then, they've been using Verizon's Data Breach Investigations Report and the open-source Veris Community Database to compile over 3,000 data sets from sources including news articles, Google Alerts, nondisclosure agreements, the Attorney General's website, government breach tools, Freedom of Information Act requests and sometimes – just “asking nicely”.

Thompson admitted that their data analysis is in its early days and as such it's not perfect. He noted reporters getting information wrong, submitted data being duplicated and a lack of data consistency. There also appears to be a slight slant towards government and healthcare data (both of which are required to log major data losses), while the two data sources used (DBIR and VCDB) showed different results. For example, point-of-sale systems were the biggest source of data leaks in Verizon's own Data Breach Investigations Report, while human error was the biggest factor in VCDB.

However, Thompson said that what cannot be denied is the sheer number of data breaches. Indeed, he noted Trend Micro's prediction last month of there being a major data breach each month in 2014 and said that that number is actually pretty low.

Using the Poisson distribution to model the frequency of data breaches over a given time, Thompson revealed that major data breaches – which he classified as being over a million records and based on data from 2011 to 2013 – could be as high as three a month.

“When I saw Trend Micro's prediction I thought it was pretty high,” said Thompson. “But the estimate is actually pretty low right now. Brace yourselves for an average of 3 [data breaches] a month.”

Thompson later said that the actual figure was 3.07 and that 2010 was not included as data breaches were not as widely reported at the time. “It was hard to tell if the zeros were real or if the breaches were not just being reported.”
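To show what a Poisson rate of 3.07 major breaches a month implies, here is an added worked example; it is not the researchers' own analysis or code. It assumes a constant rate and independent months, and the function names are hypothetical.

```python
import math

# Rate quoted in the article: 3.07 breaches of over a million records per month.
RATE_PER_MONTH = 3.07


def poisson_pmf(k, lam):
    """P(N = k) when N ~ Poisson(lam)."""
    return math.exp(-lam) * lam ** k / math.factorial(k)


def poisson_cdf(k, lam):
    """P(N <= k)."""
    return sum(poisson_pmf(i, lam) for i in range(k + 1))


def prob_at_least(k, lam):
    """P(N >= k)."""
    return 1.0 if k <= 0 else 1.0 - poisson_cdf(k - 1, lam)


def prob_all_zero(months, lam):
    """P(every one of `months` months has zero events), assuming independence."""
    return math.exp(-lam * months)


def summary(lam=RATE_PER_MONTH):
    return {
        # A month with no major breach at all is rare under this rate.
        "p_zero_month": poisson_pmf(0, lam),
        # A month matching "one a month" or fewer.
        "p_at_most_one": poisson_cdf(1, lam),
        # A month with three or more major breaches.
        "p_three_or_more": prob_at_least(3, lam),
        # Twelve consecutive zero months under the same rate.
        "p_zero_year": prob_all_zero(12, lam),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value:.4g}")
```

Under these assumptions a month with no major breach has a probability of under 5%, and a month with one or none about 19%.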

Numbers like this have been hard to come by, although security software provider IS Decisions recently estimated that there have been over 300,000 internal security breaches in UK businesses over the last year, averaging 1,190 per day. Intelligence consultancy firm Risk Based Security (RBS) estimated last week that there were 2,164 separate incidents, and over 822 million records exposed, in 2013 – nearly doubling the figures set in 2011.

Verizon's data is available on Github and the researchers are actively reaching out to companies and individuals to help them with their data (via They currently have just over 3,000 data sets, a significant rise from last August, when the database had just 1,200 incidents primarily from 2012 to 2013.
